Law No 09-08 on the protection of individuals with regard to the processing of personal data and its implementing Decree No 2-09-165 governs personal data in Morocco. This law applies to personal data processing:
The regulatory authority in charge of personal data protection in Morocco, the National Commission for the Control of Personal Data Protection (CNDP), issues decisions that provide specifications regarding certain types of processing to simplify the notification requirements and standardise the processing of personal data. As such, data controllers and processors are required to comply with these decisions.
Data in Morocco is also regulated by Law No 05-20 relating to cybersecurity. This law contains provisions applicable to all data, including but not limited to personal data, processed by specific types of data controllers, such as public entities and critical infrastructures.
In addition to these laws, the GDPR and other foreign data protection regulations may apply to some entities in Morocco if the processing conducted by these entities falls within the scope of the regulation in question.
The CNDP is Morocco’s only personal data protection regulator. It has jurisdiction over any and all data controllers and processors subject to Law No 09-08 on the protection of individuals with regard to the processing of personal data.
For more than a decade, the CNDP has been dedicated to educating stakeholders about the relevant data protection regulations. Recently, the CNDP has begun issuing warnings to several major data controllers in Morocco, urging them to comply with the provisions of Law No 09-08. Additionally, the CNDP has initiated investigations into potential violations of these regulations, particularly focusing on data controllers that handle significant amounts of personal data.
Cybersecurity, on the other hand, falls under the scope of a different regulator, the General Directorate of Information Systems Security (DGSSI) within the Ministry of Defence. This regulator is in charge of monitoring, providing guidance, and receiving complaints relating to the information systems security of entities within the scope of Law No 05-20 on cybersecurity.
The CNDP has the authority to investigate incidents related to the protection of personal data, to issue penalties if a party refuses to communicate necessary documents for its investigation, and to refer cases to the public prosecutor to initiate proceedings against any suspected offender.
Non-compliance with Law No 09-08 on the protection of individuals with regard to the processing of personal data is subject to a fine ranging from MAD10,000 to MAD600,000 and/or imprisonment of between three months and four years. The CNDP typically sends a warning to the data controller prior to any measure that may result in a fine or imprisonment.
In addition to these fines, legal persons may be punished with one of the following penalties:
So far, in practice, no fines have been issued. The CNDP has only sent warning letters to certain entities that handle large volumes of personal data and/or sensitive personal data. Most of these warnings have been directed at data controllers, including hotels, pharmaceutical companies, public universities, and other public entities.
Currently, there are no specific regulations for AI, albeit a bill is being discussed in parliament.
This does not yet apply in Morocco.
Privacy litigation in Morocco remains focused on criminal complaints rather than civil suits.
Morocco has no major privacy-related case law due to the limited number of litigation cases related to the subject.
There are no privacy-specific collective redress mechanisms in Morocco.
IoT providers, data holders, and data processing services are all subject, without distinction, to the provisions of Law No 09-08 on the protection of individuals with regard to the processing of personal data. Law No 09-08 only provides two categories under which all entities or persons involved in the processing of data may fall. These categories are data controllers and data processors.
The data controller is the person or entity that determines the purposes and means of processing personal data, whereas the data processor is the person or entity that processes personal data on behalf of the data controller.
Law No 09-08 on the protection of individuals with regard to the processing of personal data provides that the data controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where processing involves the transmission of data over a network, and against all other forms of unlawful processing.
These measures must ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected. They must also take into account the state of the art and the costs associated with their implementation.
IoT services and data processing services providers in Morocco are subject to the same requirements as any other data controller or data processor, as the case may be. Under the Moroccan data protection regulations, data processing is subject to a notification to and/or a prior authorisation from the CNDP.
Data controllers are also required to obtain the data subject’s consent for the processing of their personal data and to inform them of the characteristics of the data processing in accordance with the requirements set out in the applicable Moroccan regulations.
The CNDP is the sole data protection regulator in Morocco. Consequently, IoT providers, data holders, and data processing services fall under its scope.
The use of cookies is not subject to specific regulations. It is only regulated if the cookies include personal data, such as a data subject’s IP address. In such a context, the use of cookies would be subject to a notification to and/or a prior authorisation from the National Commission for the Control of Personal Data Protection (CNDP), depending on the type of data that is processed.
Direct marketing by means of automatic calling machines, fax machines, electronic mail or similar technology that uses, in any form whatsoever, the contact details of a natural person who has not expressed their prior consent to receive direct marketing by these means is prohibited.
Employers, like any other data controller, must notify and/or obtain prior authorisation from the CNDP for each purpose of processing their employees’ personal data.
The processing of employees’ personal data for HR management purposes is subject to obtaining authorisation under decision No 298-AU-2014 from the data protection authority. The decision provides a list of data that employers may process for HR management purposes under a simplified authorisation request. If an employer processes any other data for the same or any other purpose, they must file a separate notification or authorisation request.
Employers are also required to obtain the employees’ consent for the processing of their personal data and to inform them of the characteristics of the data processing in accordance with the requirements set out in the applicable Moroccan regulations.
No specific regulations relating to the transfer of personal data in the context of asset deals exist in Morocco. If an asset deal results in a change of data controller, the new data controller would be required to notify the data subjects and the CNDP of the said change. Upon its notification, the CNDP may require the new data controller to file new declarations and/or authorisation requests.
In theory, personal data transfers can be completed freely to a list of countries specified by the data protection authority, whereas transfers to any other country are subject to authorisation from the same authority.
In practice, the CNDP requires authorisation for data transfers to all countries, which is more readily granted if the data is transferred to a country listed by the CNDP.
The transfer of personal data abroad must ensure an adequate level of protection for individuals’ privacy and fundamental rights and freedoms, particularly through standard contractual clauses governing the transfer.
Data controllers must obtain a separate transfer authorisation for each notified or authorised processing by the National Commission for the Control of Personal Data Protection.
The cybersecurity regulations provide data localisation requirements in Morocco, which apply exclusively to sensitive information systems owned by a public entity or a critical infrastructure.
This is not applicable in Morocco.
No significant developments have been recently reported in Morocco.
CFC Cube Tower
Casablanca Finance City
Casablanca
Morocco
+212520427827
sara.essouar@dlapiper.com; inssaf.bouazzati@dlapiper.com
www.dlapiper.com